Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.5 (2058519)

Purpose

Note: This article applies specifically to vSphere 5.5. If you are using vSphere 5.1, see Configuring CA signed SSL certificates for vCenter Server Single Sign-On in vCenter Server 5.1 (2035011). If you are using vSphere 5.0, see Implementing CA signed SSL Certificates with vSphere 5.0 (2015383).

This article guides you through the configuration of Certificate Authority (CA) signed certificates for the vCenter Single Sign-On service on vSphere 5.5. VMware has released a tool that automates much of the process described below. See the Replacing vCenter Certificates With the vCenter Certificate Automation Tool section of the vSphere Security Guide before performing the steps in this article.
 
If you are unable to use the tool, this article helps you eliminate common causes of problems during certificate implementation, including configuration steps and details, and helps you avoid common misconfigurations when implementing custom certificates in your environment.

This article assumes that:
  • You have completely installed all of the core vSphere 5.5 components in the environment, including:
    • vCenter Single Sign-On
    • vCenter Server
    • vCenter Inventory Service
    • the vSphere Web Client
  • You have performed a backup of the entire vSphere 5.5 installation.
  • You have installed OpenSSL Version 0.9.8 on the vCenter Single Sign-On system.

    Important: OpenSSL Version 0.9.8 must be used. If you do not use this version, the SSL implementation will fail.

  • You have installed OpenSSL to C:\OpenSSL-Win32. If it has been installed elsewhere, change the location as appropriate.

Resolution

Note: This article is part of a resolution path. See Implementing CA signed SSL certificates with vSphere 5.x (2034833) before following the steps in this article.

Creating CA signed certificates for vSphere is a complex task. In many organizations it is required in order to meet regulatory security requirements. Several different workflows are required for a successful implementation:
  • Creating the certificate request
  • Getting the certificate
  • Installation and configuration of the certificate for Single Sign-On
These steps must be followed to ensure successful implementation of a custom certificate for vCenter Server. Before attempting these steps ensure that:

Installation and configuration of the certificate for vCenter SSO

After the certificate has been created, perform these steps to complete the installation and configuration of the certificate.

Note: If you are running vCenter Server in a virtual machine, it is best practice to take a snapshot before starting this process to ensure that you can revert to it if necessary. Ensure you delete the snapshot when the process is complete.

To replace the vCenter SSO certificates:
  1. Log in to the vCenter SSO server with an administrator account.

    Notes:
    • If you are following Creating certificate requests and certificates for the vCenter 5.x components (2037432), all vSphere components are installed on the same server and all files should be located in C:\certs.
    • If each vSphere component is installed on a separate system rather than all on one server, the files generated in Steps 6 and 7 below must be copied to each server. When this is complete, each vSphere component system has a C:\ProgramData\VMware\SSL folder containing ca_certificates.crt and a hash file.

  2. Open an elevated command prompt and type these commands to prepare the environment. For more information on opening a command prompt, see Opening a command or shell prompt (1003892).

    C:\>SET JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components

    C:\>SET PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin


    Note: The values for JAVA_HOME and PATH must not be enclosed in quotes.

  3. If present, back up the SSL directory under C:\ProgramData\VMware\. This folder should contain two files: ca_certificates.crt and a hash file named 8_characters.0.
  4. Register the new root certificate into the VMware Trust Store by running the commands:

    C:\> cd OpenSSL-Win32\bin

    C:\OpenSSL-Win32\bin> openssl x509 -noout -subject_hash -in C:\certs\Root64.cer


    Notes:
    • The -in C:\certs\Root64.cer argument used in the following commands is for environments with only a single Root Certificate Authority server. If you are using intermediate Certificate Authority servers, you must instead use the chain.cer file that was previously generated.
    • The output is an eight digit hexadecimal value. This value is used in Step 6. The output appears similar to:

    C:\OpenSSL-Win32\bin>openssl x509 -subject_hash -noout -in c:\certs\Root64.cer
    78835296


  5. Create the new SSL directory for the SSO certificates by running the command:

    C:\> mkdir C:\ProgramData\VMware\SSL

  6. Copy the Root64.cer certificate to the SSL folder by running the command:

    C:\> copy C:\certs\Root64.cer C:\ProgramData\VMware\SSL\hash.0

    Note: Replace hash with the eight digit hexadecimal value from Step 4. For example:

    C:\> copy C:\certs\Root64.cer C:\ProgramData\VMware\SSL\78835296.0

  7. Copy the Root64.cer file to the SSL folder as well, renaming it to ca_certificates.crt, by running the command:

    C:\> more C:\certs\Root64.cer >> C:\ProgramData\VMware\SSL\ca_certificates.crt

  8. Use a text editor to create three separate *.properties files, one for each of the services, replacing the server names and file paths where appropriate. The following is an example using the three services above. Ensure that the uri= URL is correct so that the certificates function properly.

    Note: This article uses the C:\certs directory for temporary use. The ssl=c:\certs\Root64.cer line used in the following files is for environments with only a single Root Certificate Authority server. If you are using intermediate Certificate Authority servers, use ssl=c:\certs\chain.cer, the chain file previously generated.

    • gc.properties:

      [service]
      friendlyName=The group check interface of the SSO server
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:groupcheck
      description=The group check interface of the SSO server


      [endpoint0]
      uri=https://SSOserver.domain.com:7444/sso-adminserver/sdk/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=vmomi


    • admin.properties:

      [service]
      friendlyName=The administrative interface of the SSO server
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:admin
      description=The administrative interface of the SSO server

      [endpoint0]
      uri=https://SSOServer.domain.com:7444/sso-adminserver/sdk/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=vmomi


    • sts.properties:

      [service]
      friendlyName=STS for Single Sign On
      version=1.5
      ownerId=
      productId=product:sso
      type=urn:sso:sts
      description=The Security Token Service of the Single Sign On server.

      [endpoint0]
      uri=https://SSOserver.domain.com:7444/sts/STSService/vsphere.local
      ssl=c:\certs\Root64.cer
      protocol=wsTrust


  9. Run the ssolscli command to list all service entries from the Lookup Service:

    c:\>ssolscli.cmd listServices <Lookup Service URL>

    Note: Ensure you use the Fully Qualified Domain Name (FQDN) for the Lookup Service URL or the command will fail. For example:

    C:\> ssolscli.cmd listServices https://WVC08.domain.local:7444/lookupservice/sdk

    You see output similar to:



  10. Locate the three SSO services from the ssolscli output.

    Note: The SSO services can be identified by looking at the type= field.

    • Group Check. urn:sso:groupcheck

      You see output similar to:



    • SSO Admin. urn:sso:admin

      You see output similar to:



    • Security Token Service (STS). urn:sso:sts

      You see output similar to:



  11. Write the serviceId= value for each of the three SSO services to a separate text file. You can do this by using the echo command. For example:

    C:\> echo <Site Name>:95f12864-d01c-4f30-ba76-1d63a8fc36ce > c:\certs\gc_id
    C:\> echo <Site Name>:fe405259-0ff3-45ef-9ead-babfe3a4ea9d > c:\certs\admin_id
    C:\> echo <Site Name>:443228f9-b9ab-4094-9b90-edc81f1f5c05 > c:\certs\sts_id


    Note: In the examples given, replace <Site Name> with the value from viSite; in the examples above the viSite is Broomfield.

  12. Using these commands, update the three SSO services:

    Important: Update the services in this order, starting with Groupcheck. Performing the updates out of order prevents SSO from starting.

    • For the Groupcheck Service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u SSO_administrator -p SSO_administrator_password -si c:\certs\gc_id -ip c:\certs\gc.properties

    • For the Admin Service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u SSO_administrator -p SSO_administrator_password -si c:\certs\admin_id -ip c:\certs\admin.properties

    • For the STS service, run the command:

      c:\> ssolscli updateService -d https://ssoserver.domain.com:7444/lookupservice/sdk -u SSO_administrator -p SSO_administrator_password -si c:\certs\sts_id -ip c:\certs\sts.properties

  13. Open Windows Explorer and navigate to C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf.
  14. Back up the existing ssoserver.p12, ssoserver.key and ssoserver.crt files.
  15. Copy the new ssoserver.p12, ssoserver.crt and ssoserver.key files to the conf directory, either using Windows Explorer or the command line:

    C:\> copy C:\certs\SSO\ssoserver.p12 C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
    C:\> copy C:\certs\Root64.cer C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
    C:\> copy C:\certs\SSO\rui.key C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key


  16. For the new SSL certificates to take effect, restart the VMware Secure Token Service by running the commands:

    C:\> net stop VMwareSTS
    C:\> net start VMwareSTS
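As an added example, not part of this KB article or of VMware's tooling, the Python script below reproduces the value that Step 4 asks OpenSSL for and then checks two of the places where this procedure most often goes wrong: that the SSL folder built in Steps 5 to 7 contains the root certificate under the hash name SSO looks for, and that each *.properties file from Step 8 has an https uri= on port 7444 with the correct path for its service type and an ssl= path that exists, before the updateService commands of Step 12 are run. The hash is computed the way OpenSSL 0.9.8 computes `-subject_hash` (MD5 of the DER-encoded subject name, first four bytes read little-endian, printed as eight hex digits). OpenSSL 1.0.0 and later changed `-subject_hash` to a SHA-1 based canonical form and kept the older form as `-subject_hash_old`, so a newer OpenSSL names the file differently unless that flag is used; this is consistent with the 0.9.8 requirement in the Purpose section. The certificate in `demo()` is a constructed, unsigned skeleton with just enough structure to carry a subject name, the FQDN `ssoserver.domain.com` is the placeholder from Step 12, and the SSL folder is a temporary directory standing in for C:\ProgramData\VMware\SSL; none of these are from the article.

```python
"""Pre-flight checks for the vCenter SSO certificate steps (added example, not VMware code)."""
import base64
import configparser
import hashlib
import os
import tempfile

OID_C, OID_O, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0a", b"\x55\x04\x03"


def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def der_name(rdns):
    """Encode [(oid, text), ...] as an X.501 Name of single-attribute RDNs (PrintableString)."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, oid) + der(0x13, text.encode("ascii")))) for oid, text in rdns))


def _tlv(buf, pos):
    """Return (tag, body_start, end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        body_start, length = pos + 2, first
    else:
        body_start = pos + 2 + (first & 0x7F)
        length = int.from_bytes(buf[pos + 2:body_start], "big")
    return tag, body_start, body_start + length


def subject_name_der(cert_der):
    """Return the complete DER TLV of the subject Name inside a DER Certificate."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, pos)    # TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)        # subject
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed TBSCertificate")
    return cert_der[pos:end]


def subject_hash_old(cert_der):
    """OpenSSL 0.9.8 `x509 -subject_hash` (`-subject_hash_old` in 1.0+): MD5 of the Name DER,
    first four bytes little-endian, as eight hex digits. This is the hash in the hash.0 filename."""
    digest = hashlib.md5(subject_name_der(cert_der)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def pem_to_der(pem_text):
    return base64.b64decode("".join(l.strip() for l in pem_text.splitlines() if not l.strip().startswith("-----")))


def der_to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def check_trust_store(ssl_dir, root_pem):
    """Problems with the SSL folder laid out in Steps 5 to 7 (an empty list means it looks right)."""
    problems, root_der = [], pem_to_der(root_pem)
    hashed = os.path.join(ssl_dir, subject_hash_old(root_der) + ".0")
    bundle = os.path.join(ssl_dir, "ca_certificates.crt")
    if not os.path.isfile(hashed):
        problems.append("missing " + os.path.basename(hashed))
    elif pem_to_der(open(hashed).read()) != root_der:
        problems.append(os.path.basename(hashed) + " is not the root certificate")
    if not os.path.isfile(bundle):
        problems.append("missing ca_certificates.crt")
    elif "".join(root_pem.split()) not in "".join(open(bundle).read().split()):
        problems.append("root certificate not present in ca_certificates.crt")
    return problems


# Expected uri= path per service type, listed in the order Step 12 requires the updates to run.
URI_PATH = {"urn:sso:groupcheck": "/sso-adminserver/sdk/vsphere.local",
            "urn:sso:admin": "/sso-adminserver/sdk/vsphere.local",
            "urn:sso:sts": "/sts/STSService/vsphere.local"}


def check_properties(text, sso_fqdn):
    """Problems with one *.properties file from Step 8, checked against the SSO server's FQDN."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems, svc = [], cp.get("service", "type", fallback="")
    uri, ssl = cp.get("endpoint0", "uri", fallback=""), cp.get("endpoint0", "ssl", fallback="")
    if svc not in URI_PATH:
        problems.append("unknown service type %r" % svc)
    if not uri.lower().startswith("https://%s:7444/" % sso_fqdn.lower()):
        problems.append("uri= must be https://<FQDN>:7444/..., got %r" % uri)
    elif svc in URI_PATH and not uri.endswith(URI_PATH[svc]):
        problems.append("uri= path does not match " + svc)
    if not os.path.isfile(ssl):
        problems.append("ssl= file not found: " + ssl)
    return problems


def fake_cert_der(name_der):
    """Constructed, unsigned certificate skeleton: enough structure for subject_name_der(), nothing more."""
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name_der + validity + name_der + der(0x30, b""))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))


def demo(sso_fqdn="ssoserver.domain.com"):
    """Constructed run: a fake root, a temp folder laid out like Steps 5 to 7, one good and one bad properties file."""
    name = der_name([(OID_C, "US"), (OID_O, "Example Corp"), (OID_CN, "Example Root CA")])
    root_der = fake_cert_der(name)
    root_pem, h = der_to_pem(root_der), subject_hash_old(root_der)
    ssl_dir = tempfile.mkdtemp()                      # stands in for C:\ProgramData\VMware\SSL
    root_path = os.path.join(ssl_dir, "Root64.cer")
    for path, mode in ((root_path, "w"), (os.path.join(ssl_dir, h + ".0"), "w"),
                       (os.path.join(ssl_dir, "ca_certificates.crt"), "a")):   # Step 7 appends
        with open(path, mode) as f:
            f.write(root_pem)
    good = "\n".join(["[service]", "type=urn:sso:groupcheck", "[endpoint0]",
                      "uri=https://%s:7444/sso-adminserver/sdk/vsphere.local" % sso_fqdn,
                      "ssl=" + root_path, "protocol=vmomi"])
    bad = good.replace("https://", "http://").replace(":7444", ":7443")
    return {"hash": h, "subject_ok": subject_name_der(root_der) == name,
            "store": check_trust_store(ssl_dir, root_pem),
            "store_empty": check_trust_store(tempfile.mkdtemp(), root_pem),
            "gc": check_properties(good, sso_fqdn), "gc_bad": check_properties(bad, sso_fqdn)}
```

Run `demo()` to see the hash and the check results; on a real system, point `check_trust_store` at C:\ProgramData\VMware\SSL with the contents of Root64.cer (or chain.cer when intermediates are in use) and `check_properties` at each of gc.properties, admin.properties and sts.properties with the SSO server's FQDN.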

The SSL certificate for vCenter Single Sign-On (including the Group Check, the SSO Admin service, and the Security Token Service) has now been updated. Next, continue to install the custom certificates for the vCenter Inventory Service. For more information, see Configuring CA signed SSL certificates for the Inventory service in vCenter Server 5.5 (2061953).
